Full disclosure--two views collide

by Andy Oram

Last Thursday's
Ignite Boston,
which I wrote up in a
previous blog,
provided an unexpected mirror in which two opposing views shone on
each other, each view provided by one of the two keynotes, by John
Viega and Jonathan Zdziarski.

Both Viega and Zdziarski are security experts and authors of books by
O'Reilly and other publishers. Viega used the bully pulpit for an
entreaty against the "full disclosure" philosophy, a fundamental
article in the open source catechism. Zdziarski, who had not consulted
with Viega beforehand, endorsed full disclosure whole-heartedly and
with a doggedly pragmatic intent. The context for Zdziarski's
approach is the Apple iPhone, which has security vulnerabilities that,
in his experience, Apple doesn't fix until they're made embarrassingly
public.

Today Zdziarski sent me a long and frightening
article from the National Journal
about the threat of cyberwar. Although the basic premises in the
article have been circulating for years, many of the details were new
to me. And despite the focus of the title on China, the article makes
it clear that governments as well as individuals (the "cyber-militia")
are engaging in disruptive behavior around the world. In fact, the
article cites worries about what may be happening in the NSA.

It seems to me that the National Journal article provides more fodder
for Viega than Zdziarski. Viega insisted that the black hats planning
DDoS attacks and identity theft aren't as smart as they are commonly
made out to be. They couldn't create as much havoc if they had to rely
only on the vulnerabilities they found themselves. They are helped
immeasurably, he said, by the revelations of vulnerabilities in major
software products by people with no malicious intent. The worldwide
database of known vulnerabilities is swelled by individuals trying to
show off their technical chops, and by companies in the security
business trying to demonstrate the indispensability of their products.

So long as software vendors are slow to fix bugs, full disclosure has
to be an option, a kind of last resort, and I think Viega allowed for
this. Open source projects have to promote a sense of responsibility
among contributors to be discreet in reporting bugs with security
implications. Perhaps it doesn't matter much anyway--because most
people keep using unpatched versions of software long after fixes come
out.